Microsoft changes course, opens kernel code through APIs

After several weeks of heated fingerpointing from major security firms about getting locked out of Windows Vista, Microsoft has slightly switched course with two key security features in the soon-to-be-released operating system.

Microsoft had come under fire recently by security leaders at companies such as Symantec and McAfee for two of the new security features in Vista.

The first is Windows Security Center (WSC), a new monitoring pane that keeps track of firewall, patches and virus protection. Third-party security vendors cried foul when beta testing showed that WSC popped up simultaneous warnings for problems that the security software also warned about. They were concerned that such redundancy would cause a high amount of consumer confusion and anxiety. In a press teleconference on Friday, Microsoft announced that it would allow vendors to turn off these simultaneous warnings when their third-party software is installed.

Most of the concern has centered around the new PatchGuard feature, which the company designed as protection of the kernel code from malicious rootkits. Third-party vendors, complained that the feature was a way to lock security companies out of the kernel and prevent them from innovating better protection products.

They claimed that after many months of working with Microsoft, the executives at the Redmond, Wash.-company refused to work with them to provide access under the hood of PatchGuard to accomplish this. The move, they claimed, was Microsoft's way of jockeying for better positioning as it entered the security market with its Windows Live OneCare suite of products.

Microsoft has largely stood firm in its decision not to disable PatchGuard for any vendor, as this would make it easier for malevolent forces to circumvent the new protection, said Stephen Toulouse, senior product manager for Microsoft's Security Technology Unit.

However, at the same teleconference late last week the company announced that it will provide better access to kernel code through Application Programming Interfaces (APIs), he said.

"Based on feedback from both partners as well as the European Commission we've been working on different ways that we can make sure that we're partnering with a variety of different vendors big and small to make sure that the platform is more secure fundamentally as well as providing opportunities for software providers to build solutions for customers because we know that's what customers want," Toulouse said.

He emphasized that while the company will provide better access to kernel code, it still will not disable PatchGuard and, most importantly, will not allow the kernel to be modified while it is running.

A source from McAfee said that as of Monday the company has not received the APIs. Until they are delivered it is hard to say whether they will provide enough information to facilitate the development of security products for the operating system, the spokesperson said.

However, some security companies believe that recent complaints from the market leaders are unfounded.

"Our stance is different," says Corey O'Donnell of Authentium, which develops security software and services for rebranding to companies such as Cox Communications. "Looking at McAfee, specifically, who was very doomsdayish in their prediction that security software wouldn't function or they would not be able to write effective software with the limitations Microsoft imposed with Vista, our answer to that is, ‘You guys are just being silly.' It just takes hard work."

O'Donnell said Authentium has already found ways to work around PatchGuard regardless of these new API offerings.

"We begin with the presumption that it is not our place to tell Microsoft what kind of product to deliver," he said. "Ultimately, the hackers get whatever Microsoft delivers. And then they set out to beat it. Our job is to act like those guys — figure out how it is going to be beat and then engineer ways to block those vulnerabilities."

O'Donnell said that to some extent he in his colleagues at Authentium were a little disappointed to hear about the recent announcement, as they believe that the APIs will act as a roadmap for hackers to make their way through PatchGuard defenses.

"To some extent, the API issue makes it easier for not just good hackers, but now mediocre hackers to get through PatchGuard," he said. "We would have preferred to see Microsoft move toward a certification system where they worked to identify the good guys from the bad, basically identifying drivers as good or bad."

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.